CVE-2026-32886: Parse Server's Cloud function dispatch crashes server via prototype chain traversal

March 17, 2026

Remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the JavaScript prototype chain of a registered cloud function handler, causing a stack overflow.

References

github.com/advisories/GHSA-4263-jgmp-7pf4
github.com/parse-community/parse-server
github.com/parse-community/parse-server/pull/10210
github.com/parse-community/parse-server/pull/10211
github.com/parse-community/parse-server/security/advisories/GHSA-4263-jgmp-7pf4
nvd.nist.gov/vuln/detail/CVE-2026-32886

Code Behaviors & Features

Detect and mitigate CVE-2026-32886 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →